Migrate to Jose and better error messages

This commit is contained in:
Krzysztof Wolski 2022-08-04 18:37:31 +02:00
parent e203803505
commit fe2921dcdc


@ -1,11 +1,10 @@
import crypto from "crypto"; import crypto from "crypto";
import * as jose from "jose"; import * as jose from "jose";
import jwt, { JwtPayload } from "jsonwebtoken";
import jwks, { CertSigningKey, RsaSigningKey } from "jwks-rsa";
import type { Middleware, Request } from "retes"; import type { Middleware, Request } from "retes";
import { Response } from "retes/response"; import { Response } from "retes/response";
import { SALEOR_DOMAIN_HEADER, SALEOR_EVENT_HEADER } from "./const"; import { SALEOR_AUTHORIZATION_BEARER_HEADER } from "./const";
import { getSaleorHeaders } from "./headers";
import { jwksUrl } from "./urls"; import { jwksUrl } from "./urls";
export const withBaseURL: Middleware = (handler) => async (request) => { export const withBaseURL: Middleware = (handler) => async (request) => {
@ -18,9 +17,9 @@ export const withBaseURL: Middleware = (handler) => async (request) => {
}; };
export const withSaleorDomainPresent: Middleware = (handler) => async (request) => { export const withSaleorDomainPresent: Middleware = (handler) => async (request) => {
const saleorDomain = request.headers[SALEOR_DOMAIN_HEADER]; const { domain } = getSaleorHeaders(request.headers);
if (!saleorDomain) { if (!domain) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Missing Saleor domain header.", message: "Missing Saleor domain header.",
@ -34,11 +33,12 @@ export const withSaleorEventMatch =
<E extends string>(expectedEvent: `${Lowercase<E>}`): Middleware => <E extends string>(expectedEvent: `${Lowercase<E>}`): Middleware =>
(handler) => (handler) =>
async (request) => { async (request) => {
const receivedEvent = request.headers[SALEOR_EVENT_HEADER]; const { event } = getSaleorHeaders(request.headers);
if (receivedEvent !== expectedEvent) {
if (event !== expectedEvent) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid Saleor Event", message: `Invalid Saleor event. Expecting ${expectedEvent}.`,
}); });
} }
@ -61,15 +61,16 @@ export const withWebhookSignatureVerified =
(secretKey: string | undefined = undefined): Middleware => (secretKey: string | undefined = undefined): Middleware =>
(handler) => (handler) =>
async (request) => { async (request) => {
const ERROR_MESSAGE = "Webhook signature verification failed:";
if (request.rawBody === undefined) { if (request.rawBody === undefined) {
return Response.InternalServerError({ return Response.InternalServerError({
success: false, success: false,
message: "Request payload already parsed.", message: `${ERROR_MESSAGE} Request payload already parsed.`,
}); });
} }
const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "saleor-signature": payloadSignature } = const { domain: saleorDomain, signature: payloadSignature } = getSaleorHeaders(request.headers);
request.headers;
if (secretKey !== undefined) { if (secretKey !== undefined) {
const calculatedSignature = crypto const calculatedSignature = crypto
@ -80,7 +81,7 @@ export const withWebhookSignatureVerified =
if (calculatedSignature !== payloadSignature) { if (calculatedSignature !== payloadSignature) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid signature.", message: `${ERROR_MESSAGE} Verification using secret key has failed.`,
}); });
} }
} else { } else {
@ -100,7 +101,7 @@ export const withWebhookSignatureVerified =
} catch { } catch {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid signature.", message: `${ERROR_MESSAGE} Verification using public key has failed.`,
}); });
} }
} }
@ -108,7 +109,7 @@ export const withWebhookSignatureVerified =
return handler(request); return handler(request);
}; };
export interface DashboardTokenPayload extends JwtPayload { export interface DashboardTokenPayload extends jose.JWTPayload {
app: string; app: string;
} }
@ -116,37 +117,30 @@ export const withJWTVerified =
(getAppId: (request: Request) => Promise<string | undefined>): Middleware => (getAppId: (request: Request) => Promise<string | undefined>): Middleware =>
(handler) => (handler) =>
async (request) => { async (request) => {
const { [SALEOR_DOMAIN_HEADER]: saleorDomain, "authorization-bearer": token } = request.headers; const { domain, authorizationBearer: token } = getSaleorHeaders(request.headers);
const ERROR_MESSAGE = "JWT verification failed:";
if (token === undefined) { if (token === undefined) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Missing token.", message: `${ERROR_MESSAGE} Missing ${SALEOR_AUTHORIZATION_BEARER_HEADER} header.`,
}); });
} }
let tokenClaims; let tokenClaims: DashboardTokenPayload;
try { try {
tokenClaims = jwt.decode(token as string); tokenClaims = jose.decodeJwt(token as string) as DashboardTokenPayload;
} catch (e) { } catch (e) {
console.error(e);
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid token.", message: `${ERROR_MESSAGE} Could not decode authorization token.`,
}); });
} }
if (tokenClaims === null) { if (tokenClaims.iss !== domain) {
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid token.", message: `${ERROR_MESSAGE} Token iss property is different than domain header.`,
});
}
if ((tokenClaims as DashboardTokenPayload).iss !== saleorDomain) {
return Response.BadRequest({
success: false,
message: "Invalid token.",
}); });
} }
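Review bot: The new `if (tokenClaims.iss !== domain)` check reads claims produced by `jose.decodeJwt`, which decodes without checking the signature, so at this point in the hunk `iss` (and later `app`) are still caller-controlled input; only the `jose.jwtVerify` call further down, outside this hunk, makes them trustworthy. The end result is still safe because a tampered payload fails that later signature check, but the ordering means `getAppId(request)` and the remote JWKS fetch are performed for tokens that will never verify. Verifying first and binding the issuer there, `const { payload } = await jose.jwtVerify(token, JWKS, { issuer: domain });`, then taking `iss`/`app` from `payload` instead of the decoded claims, removes the unverified window, and the `as DashboardTokenPayload` assertion could then become a runtime check that `payload.app` is a string before it is compared with the app ID. The `token as string` cast on the `decodeJwt` line is also unnecessary after the `token === undefined` guard above it, as the later `jwtVerify(token, JWKS)` call already shows. withJWTVerified continues past the end of this hunk.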
@ -154,35 +148,34 @@ export const withJWTVerified =
try { try {
appId = await getAppId(request); appId = await getAppId(request);
} catch (error) { } catch (error) {
console.error("Error during getting the app ID."); return Response.InternalServerError({
console.error(error);
return Response.BadRequest({
success: false, success: false,
message: "Error during token invalidation - could not obtain the app ID.", message: `${ERROR_MESSAGE} Could not obtain the app ID.`,
}); });
} }
if (!appId || (tokenClaims as DashboardTokenPayload).app !== appId) { if (!appId) {
return Response.BadRequest({ return Response.InternalServerError({
success: false, success: false,
message: "Invalid token.", message: `${ERROR_MESSAGE} No value for app ID.`,
}); });
} }
const jwksClient = jwks({ if (tokenClaims.app !== appId) {
jwksUri: `https://${saleorDomain}/.well-known/jwks.json`, return Response.BadRequest({
}); success: false,
const signingKey = await jwksClient.getSigningKey(); message: `${ERROR_MESSAGE} Token's app property is different than app ID.`,
const signingSecret = });
(signingKey as CertSigningKey).publicKey || (signingKey as RsaSigningKey).rsaPublicKey; }
try { try {
jwt.verify(token as string, signingSecret); const JWKS = jose.createRemoteJWKSet(new URL(jwksUrl(domain)));
await jose.jwtVerify(token, JWKS);
} catch (e) { } catch (e) {
console.error(e); console.error(e);
return Response.BadRequest({ return Response.BadRequest({
success: false, success: false,
message: "Invalid token.", message: `${ERROR_MESSAGE} JWT signature verification failed.`,
}); });
} }